ArchiPy is currently in active development. We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 2.x.x | ✅ |
We take the security of ArchiPy seriously. If you believe you've found a security vulnerability, please follow these steps:
- Please do not disclose the vulnerability publicly
- Email us directly at hosseinnejati14@gmail.com
- Include details in your report:
  - Type of vulnerability
  - Full path to the vulnerable file(s)
  - Proof of concept if possible
  - Steps to reproduce
  - Impact of the vulnerability
- We will acknowledge receipt of your vulnerability report within 48 hours
- We will provide a timeline for a fix and release after assessing the report
- We will notify you when the vulnerability is fixed
- We will acknowledge your contribution (if desired) when we disclose the vulnerability
ArchiPy implements several security best practices:
- Static code analysis using `ruff` and `mypy`
- Pre-commit hooks for catching security issues early
- Regular dependency updates and security audits
- Built-in JWT token validation
- Secure password handling with proper hashing
- Role-based access control support
- Encryption support for sensitive data
- Secure transport via TLS
- Data validation via Pydantic models
- Secure connection pooling for databases
- Rate limiting support to prevent abuse
- Monitoring and logging for security events
When using ArchiPy in your projects, we recommend:
- Always use the latest version with security updates
- Set appropriate rate limits for APIs
- Implement proper authentication and authorization
- Keep your dependencies updated regularly
- Use environment variables for sensitive configuration
- Apply the principle of least privilege for database connections
When security vulnerabilities are reported, we follow this disclosure process:
- Confirm the vulnerability and determine its scope
- Develop and test a fix
- Release a patch for the vulnerability
- Announce the vulnerability (without specific exploit details) and credit the reporter (if desired)
Security updates are released as patch versions (e.g., 0.1.1 → 0.1.2) and are announced through:
- GitHub releases
- Release notes in the project documentation
- Communications to users who have opted in for security notifications
ArchiPy relies on several third-party packages. We regularly monitor:
- Security advisories for dependencies
- CVE databases for relevant vulnerabilities
- Updates and patches for all dependencies
We recommend users regularly run `poetry update` to ensure they have the latest secure versions of all dependencies.